Cambridge Innovation Institute and GDPR
Cambridge Healthtech Institute is a division of Cambridge Innovation Institute (CII). CII delivers cutting-edge information through events, publishing, and training to leading commercial, academic, government and research institutes across the life science and energy industries. Cambridge Innovation Institute consists of two business areas: our coverage of advances in life sciences under the well-established Cambridge Healthtech Institute (CHI) brand, and coverage of rechargeable batteries under the newly established Cambridge EnerTech (CET) brand. We focus on high technology fields where research and development are essential for the advancement of innovation.
CHI’s events, publications, training material and other services are marketed through direct marketing channels including email, direct mail, telemarketing, and fax.
This notice details CII's position on and approach to GDPR, and the steps it has taken to become compliant.
It covers Cambridge Innovation Institute and its affiliates and subsidiaries listed below:
- Cambridge EnerTech
- Cambridge Healthtech Institute
- Barnett International
- Bio-IT World Magazine
- Insight Pharma Reports
- Cambridge Healthtech Publishing
Cambridge Innovation Institute and Legitimate Interest
Cambridge Innovation Institute (CII) will use Legitimate Interest as the basis of its GDPR compliance.
CII’s Legitimate Interest justification is based on the following excerpt from the General Data Protection Regulation which outlines where Legitimate Interest can be used:
Under Article 6(1)(f)
‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Under Recital 47
‘The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.’
Further, the GDPR states that “the processing of Personal Data for direct marketing purposes may be carried out for a legitimate interest. An organization may wish to rely upon Legitimate Interests where consent is not viable or not preferred and the balance of interests condition can be met.” CII has thus carried out a Legitimate Interest Assessment.
Our Legitimate Interest Assessment has been a 3-step process:
Legitimate Interest Assessment
- Identifying a Legitimate Interest
- Carrying out a Necessity Test
- Carrying out a Balancing Test
Identifying a Legitimate Interest
CII has a legitimate interest in processing the personal data of data subjects who are likely to attend or purchase CII events and information services. The only personal data that is held, stored and processed by CII is name, business job function, and contact details. Segmentation is done by their past transactional history, if any, and their organization’s industry or research sector. All the services provided by CII have direct relevance to the data subject.
The processing is necessary in pursuit of the interests above. CII has examined alternatives and the only alternative available – unambiguous opt-in – was reviewed and rejected as impossible to implement given the range of our products and services. Of particular note, our events are held all over the world at different times and places, often with significant time gaps. Consent might well then expire between relevant events. Our publishing schedule is similarly uneven across our multiple sectors.
CII has conducted a balancing test to ensure that our interests do not override those of data subjects.
We believe that the data subjects will have a reasonable expectation of being contacted by CII because of their job responsibilities.
The data we hold and use is always connected to an individual’s business and professional responsibilities.
All data subjects are given notice and choice when added to the database. They are informed about the legal basis of our processing and its purpose (for use by CII and its partners for marketing). They will have access to the data we store about them and it will be kept accurate and secure.
They will be informed that all marketing activities will be carried out in accordance with local laws and regulations.
Cambridge Innovation Institute Compliance Process
As part of our compliance, we have implemented the following:
a) Internal Policies
- Policies are written and include: basis for process justification (balancing test for Legitimate Interest); data collection; data retention; data security and breach; cookies.
b) External Policies
c) Systems/Process Changes (as needed)
- Recording and managing of notice, opt-in/opt-out, accuracy, ability to support right of access, security, portability.
d) Systems/Process Documentation
- Data map and flows; include LI assessments written above; record of processing activity
- Contracts with data suppliers, data processors, customers have been updated.
- Review of process undertaken and documented